Privacy Policy

1. Introduction

At Narrato.space ("Narrato," "we," "us," or "our"), privacy isn't an afterthought; it is the foundation of our entire platform. We are building a protected digital environment for children, which means we treat data with the highest level of security and minimization.

This Privacy Policy explains what information we collect, where it lives, and your rights regarding that data.

2. Infrastructure & Hosting (Where Data Lives)

We operate a hybrid infrastructure designed to maximize security and performance while maintaining strict data sovereignty.

• The Landing Page (narrato.space): Our public-facing marketing website is hosted on Vercel. We have disabled Vercel Analytics; we do not track visitors on our marketing site beyond standard server logs required for security.
• The Core Application & Database: The actual application you access via browser (e.g., the Web Dashboard) or download to your device, along with all databases and media content (CDN), are hosted entirely on our own secure, self-managed server infrastructure. When you log in, you leave the Vercel-hosted environment and enter our secure ecosystem. Your application data is never processed or stored on Vercel's servers.
• App Stores: We distribute our mobile application via the Apple App Store and Google Play Store. These platforms may collect their own standard install telemetry, which is governed by their respective privacy policies.

3. Information We Collect

We only collect data that is strictly necessary to operate the service, ensure safety, and verify identity.

3.1. From the Child User

• Account Data: First Name (or Nickname), Age, Gender, and Country.
• School Link: If linked to a classroom, we store the School ID and Grade Level.
• User Generated Content (UGC): Drawings, stories, chat messages, voice messages, and "Likes" (Stickers) generated on the platform.
• Activity Data: Progress in games, "Stardust" balance, and reading logs.

3.2. From the Guardian

To comply with child safety laws (GDPR-K, COPPA), we collect verification data from the adult responsible for the account.

• Identity: Full Name, Age, and Physical Address.
• Contact: Email Address and Phone Number.
• Verification: Government ID details (if required for age verification or account recovery).

3.3. From Schools & Teachers

• Institutional Data: School Name, Address, and Verification Documents.
• Teacher Data: Professional Email, Name, and Classroom Roster assignments.

3.4. Technical Information

• Device Data: Device model, OS version, and unique device identifiers (necessary for account security and "Device Binding").
• Logs: IP address and access timestamps (retained strictly for security auditing and safety investigations).
• Cookies: We use strictly necessary cookies and local storage for authentication and performance settings. We do not use advertising or tracking cookies.

4. How We Use Your Information

We use the collected data for specific, limited purposes:

• To Provide the Service: Delivering messages, saving drawings, and syncing progress across devices.
• Safety & Moderation: Our AI, "Lily," analyzes text and images to detect bullying, grooming, or inappropriate content.
• Communication: Sending Guardians notifications about friend requests, safety alerts, or account updates.
• Performance: Analyzing crash logs to fix bugs.

5. Advertising

Default State: Narrato is ad-free by default. We do not use your data for behavioral advertising.

Opt-In Only: We may, in the future, introduce a limited form of advertising. We will use your data for this purpose ONLY IF the Guardian explicitly grants permission via the Parental Dashboard. Without this express consent, no data is used for marketing.

6. Data Retention & Deletion

6.1. Your Rights

Guardians have full control over the family's data via the Parental Dashboard:

• Access: You can view your child's drawings, chats, and friend lists.
• Download: You can request a full archive of your data.
• Deletion: You can delete the Child Account or the entire Parent Account.

6.2. Retention Periods

• Voluntary Deletion: If you delete an account, we retain data for 6 weeks (in case of accidental deletion or safety inquiries), after which it is permanently purged.
• Banned Accounts: If we terminate an account for safety violations (e.g., grooming), we retain data for at least 2 years and identity information indefinitely to prevent evasion.
• Legal Holds: Data involved in an active law enforcement investigation is retained until we receive official clearance to delete it.

7. Third-Party Data Sharing

We do not share data with third parties, except in these narrow circumstances:

• Service Providers: We use trusted infrastructure providers (e.g., for sending emails or processing payments) who are contractually bound to protect your data and use it only for that specific service.
• Law Enforcement: We are required to report illegal content (CSAM) or imminent threats to child safety to authorities (e.g., BKA, NCMEC). In these cases, safety takes precedence over privacy.

8. Cookies Policy

We use "Local Storage" and "Session Cookies" solely to keep you logged in and remember your preferences (e.g., "Dark Mode"). These are essential for the website to function. We do not use third-party analytics or advertising pixels.

9. Automated Translation

To provide optional, live translation of our content into German, we refer to the MyMemory API (provided by Translated). If you activate this feature, text segments from the page are sent to their servers for translation. This process is transient and no personal data is stored by the translation provider.

Please note that this is an experimental convenience feature offered "as-is."

10. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact our Data Protection Officer: